Actuation System for a Drive Unit of a Motor Vehicle

ABSTRACT

The invention relates to an actuation system for a drive unit of a motor vehicle, having a drive control unit ( 1 ) which is assigned to the drive unit and which has a function level ( 3 ) and a function monitoring level ( 4 ), a first data transmission device ( 5 ) which is arranged in the function level ( 3 ), and is connected to a separate external control unit ( 2 ) via a first communication path (A) via which a predefined setpoint torque (Msoll) can be forwarded from the external control unit ( 2 ) to the first data transmission device ( 5 ). 
     The object of the invention is to provide a highly available actuation system. 
     According to the invention, the object is achieved in that the drive control unit ( 1 ) has a second data transmission device ( 6 ), and is additionally connected to the external control unit ( 2 ) via a second communication path (B), wherein the predefined setpoint torque (Msoll) can be forwarded from the external control unit ( 2 ) to the second data transmission device ( 5 ) via the second communication path.

The invention relates to an actuation system for a drive unit of a motor vehicle as claimed in the preamble of claim 1.

The monitoring of control units of an actuation system of a drive unit is generally embodied as a three level monitoring concept. Such a monitoring concept is known from document DE 44 38 714 A1. It describes a method and a device for controlling the drive power of a vehicle comprising a microcomputer with at least two independent levels, wherein a first level carries out the control functions and a second level carries out the monitoring functions. A third level forms a control level which controls the monitoring level and therefore the microcomputer.

The object of the invention is to provide a highly available actuation system.

This object is achieved according to the invention by means of the features of claim 1.

According to the invention, the object is achieved in that the drive control unit has a second data transmission device, and is additionally connected to the external control unit via a second communication path, wherein the predefined setpoint torque can be forwarded from the external control unit to the second data transmission device via the second communication path.

This has the advantage that in the event of a failure of one of the communication paths, a second communication path is still available for transmitting data. This increases the availability of the actuation system.

In one embodiment, when a fault is detected in the data transmission of a data transmission device by means of the drive control unit and when the fault is present for a shorter time than a predefined time period, the last fault-free data of this data transmission device can be retained. Changes in the predefined setpoint values do not usually take place in an irregular fashion. For this reason, retaining the old value constitutes a good approximation of a missing value for short interruptions. It is therefore possible to compensate short-term faults without resorting to the data of the other communication path.

In one embodiment, when a fault is detected in the data transmission of a data transmission device by means of the drive control unit, the data of the respective other data transmission device can be transferred if the fault is present for longer than a predefined time period. Since the same data are transmitted in both data transmission devices, the data of one data transmission device which are transmitted incorrectly can be replaced by the data of the respective other data transmission device. The quality of the data is therefore ensured even if one of the data transmission devices fails.

In one embodiment, when a fault is detected in the data transmission of both data transmission devices by means of the drive control unit, a setpoint torque with the value zero can be predefined if the fault is present for longer than the predefined time period. This ensures that the drive unit is operated in a permitted, safe state.

In one embodiment, a fault signal can be stored in the drive control unit. This permits the fault to be signaled to the driver and/or to be detected and eliminated within the scope of an external diagnosis by servicing personnel.

In one embodiment, this state can be retained until the next restart of the drive. It is therefore possible, given persistently occurring faults, to operate the system continuously up to the next restart in a safe state and to signal the fault. This avoids an undefined state occurring.

In one embodiment, each of the two communication paths can be assigned a separate identifier on the basis of which it is possible to detect via which communication path a setpoint torque of the control unit has been transmitted. It is therefore possible to assign to the data the communication path over which said data have been fed to the control unit. This facilitates later evaluation.

In one embodiment, the same setpoint torque can be transmitted with the same message frequency to the respectively assigned data transmission device via both communication paths. This facilitates the synchronized reconciliation of the data of the two communication paths and the detection of faults.

In one embodiment, the same setpoint torque can be transmitted with the same message counter and with the same checksum to the respectively assigned data transmission device via both communication paths. This also facilitates the synchronized reconciliation of the data of the two communication paths and improves the detection of faults.

In one embodiment, the second data transmission device is arranged in the function monitoring level. It is therefore possible to continue the transmission of data even if one of the levels, the function level or the function monitoring level, has a fault in the data transmission.

In one embodiment, the data of the two data transmission devices can be evaluated in parallel with one another by means of the drive control unit. It is therefore possible to continue the data transmission even if one of the levels, the function level or the function monitoring level, is operating incorrectly.

Further advantages and refinements emerge from the subclaims and the descriptions. In this context, the figure shows an embodiment of the actuation system according to the invention.

All the devices and other components of the control unit which are illustrated in FIG. 1 to FIG. 4 can equally well be embodied as an electronic component, as a functionality or memory area of a computer module, as a software or the like.

The figure shows a drive control unit 1 of a drive unit and a second separate, external control unit 2.

The figure illustrates a drive control unit 1 which is assigned to a drive unit (not illustrated). The drive unit is controlled by this drive control unit 1. The drive unit can be, for example, as an electric machine, as an internal combustion engine or the like.

The drive control unit 1 has a function level 3 and a function monitoring level 4. The figure also shows a second external control unit 2. The latter may be, for example, a central drive control unit for coordinating a plurality of drive units (hybrid control unit), the vehicle control unit or the control unit of an internal combustion engine.

This external control unit 2 is connected to the drive control unit 1 via two communication paths A and B.

The drive control unit 1 has two data transmission units 5 and 6. The data transmission unit 5 is arranged in the function level 3. The data transmission unit 6 is arranged in the function monitoring level 4. The communication path A connects the external control unit 2 to the data transmission unit 5 of the function level 3 of the drive control unit 1. The communication path B connects the external control unit 2 to the data transmission unit 6 of the function monitoring level 4 of the drive control unit 1.

The external control unit 2 transmits a setpoint torque Msoll to the drive control unit 1 of the drive unit via the communication paths A and B. In this context, the identical setpoint torque Msoll is transmitted by the communication paths A and B. In this context, the information indicating over which of the communication paths (A or B) the transmitted setpoint torque Msoll has been transmitted is added to said setpoint torque Msoll. Correspondingly, in FIG. 1 the setpoint torque is characterized as Msoll_A and Msoll_B, respectively.

The setpoint torque Msoll is transmitted on the two communication paths A and B with the same clocking frequency and with assignment of the same message counter. In this context, in each case a checksum is assigned to the setpoint torque Msoll_A and Msoll_B, respectively. It is therefore possible to assign identical values for the setpoint torque Msoll, transmitted in parallel and simultaneously on the communication paths A and B, by virtue of the fact that the message counter corresponds and the checksums are identical to one another.

The setpoint torque Msoll_A which is transmitted via the communication path A is forwarded from the data transmission device 5 to a device 7 of the function level 3 and a device 11 of the function monitoring level 4.

The setpoint torque Msoll_B which is transmitted via the communication path B is forwarded by the data transmission device 6 to a device 8 of the function level 3 and a device 10 of the function monitoring level 4.

In a device 9 of the function level 3, the data of the device 7 and of the device 8 are compared with one another. In the process it is checked whether the data from communication path A and communication path B are at update state. This is the case if the message counter has the same value for the data of communication path A and the data of communication path B. Furthermore it is checked whether in each case the checksum is correct and corresponds to that of the data of the other communication path. Subsequently, the setpoint torque Msoll_F which is to be output by the device 9 of the function level 3 is acquired.

A fault is detected if a message has been lost, the checksum is incorrect, or a fault has been detected in the message counter (value of the message counter is the same as that of the last message or greater by more than one). Lost messages lead to a reversible fault reaction, and a fault in the checksum or in the message counter leads to an irreversible reaction which is maintained until the next time the engine is started.

The acquisition of torque in the function level 3 is illustrated in the following table:

Fault Fault in A? in B? Msoll_FA Msoll_FB Msoll_F No No Positive Positive Min [Msoll_FA, Msoll_FB] No No Negative Negative Max [Msoll_FA, Msoll_FB] No No Positive Negative Zero No No Negative Positive Zero No Yes Equal Fault Msoll_FA (fault signal for Msoll_FB) Yes No Fault Equal Msoll_FB (fault signal for Msoll_FA) Yes Yes Fault Fault Zero

If there are no transmission faults in the communication path A or B and if the two setpoint torques Msoll_FA and Msoll_A have the same sign, the device 9 outputs the lower of the two values. If both values are positive, this corresponds to the minimum Min [Msoll_FA, Msoll_FB] of the values for the setpoint torque. If both values are negative, this corresponds to the maximum Max [Msoll_FA, Msoll_FB] of the values for the setpoint torque.

If there is no transmission fault present but the two setpoint torques Msoll_FA and Msoll_A have a different sign, the device 9 outputs a setpoint torque Msoll_F with the value zero.

If a transmission fault is present in one of the communication paths A or B, the device 9 or the device 7 or 8 arranged upstream thereof transfers the last value which was transmitted in a fault-free fashion on the respective communication path A or B if the fault does not last for longer than a predefined time period (debouncing time).

If there is a transmission fault present in one of the communication paths A or B which lasts for longer than this predefined debouncing time, the device 9 outputs the setpoint torque Msoll_A or respectively Msoll_FA of the other, fault-free communication path B or respectively A as a setpoint torque Msoll_F.

If there is a transmission fault in both transmission paths A and B, the device 9 outputs a setpoint torque Msoll_F with the value zero.

In a device 12 of the function monitoring level 4, the data of the device 10 and of the device 11 are compared with one another. In the process, the message counter is used to check whether the data from communication path A and the data from communication path B have the same update state. Furthermore, it is checked whether the checksums are correct and correspond.

The acquisition of torque in the function monitoring level 4 corresponds to that in the function level 3 and is therefore not explained again in detail.

In this way, the two communication paths A and B in the function level 3 and the function monitoring level 4 are evaluated in parallel with one another. This both improves the detection of faults and the fault compensation possibilities. 

1. An actuation system for a drive unit of a motor vehicle, having a drive control unit (1) which is assigned to the drive unit and which has: a function level (3) and a function monitoring level (4), a first data transmission device (5) which is arranged in the function level (3), and is connected to a separate external control unit (2) via a first communication path (A) via which a predefined setpoint torque (Msoll_A) can be forwarded from the external control unit (2) to the first data transmission device (5), characterized in that the drive control unit (1) has: a second data transmission device (6), and is additionally connected to the external control unit (2) via a second communication path (B), wherein the predefined setpoint torque (Msoll_B) can be forwarded from the external control unit (2) to the second data transmission device (5) via the second communication path.
 2. The actuation system as claimed in claim 1, characterized in that, when a fault is detected in the data transmission of a data transmission device (5; 6) by means of the drive control unit (1) and when the fault is present for a shorter time than a predefined time period (T_Grenz), the last fault-free data of this data transmission device (5; 6) can be retained.
 3. The actuation system as claimed in claim 1, characterized in that, when a fault is detected in the data transmission of a data transmission device (5; 6) by means of the drive control unit (1), the data of the respective other data transmission device (6; 5) can be transferred if the fault is present for longer than a predefined time period (T_Grenz).
 4. The actuation system as claimed in claim 3, characterized in that, when a fault is detected in the data transmission of both data transmission devices (5, 6) by means of the drive control unit (1), a setpoint toque with the value zero can be predefined if the fault is present for longer than the predefined time period (T_Grenz).
 5. The actuation system as claimed in claim 3 or 4, characterized in that a fault signal can be stored in the drive control unit (1).
 6. The actuation system as claimed in claim 4 or 5, characterized in that this state can be retained until the next restart of the drive.
 7. The actuation system as claimed in claim 1, characterized in that each of the two communication paths (A, B) can be assigned a separate identifier on the basis of which it is possible to detect via which communication path a setpoint torque of the control unit (1) has been transmitted.
 8. The actuation system as claimed in claim 1, characterized in that the same setpoint torque (Msoll_A, Msoll_B) can be transmitted with the same message frequency to the respectively assigned data transmission device (5, 6) via both communication paths (A, B).
 9. The actuation system as claimed in claim 1, characterized in that the same setpoint torque (Msoll_A, Msoll_B) can be transmitted with the same message counter and with the same checksum to the respectively assigned data transmission device (5; 6) via both communication paths (A, B).
 10. The actuation system as claimed in claim 1, characterized in that the second data transmission device (6) is arranged in the function monitoring level (4).
 11. The actuation system as claimed in claim 1, characterized in that the data of the two data transmission devices (5, 6) can be evaluated in parallel with one another by means of the drive control unit (1).
 12. The actuation system as claimed in claim 1, characterized in that the drive unit is an electric machine.
 13. The actuation system as claimed in claim 1, characterized in that a plurality of drive units are provided. 